This section provides an overview of the different BCB authorization areas and the measures required for their protection.
Calling the BCB administration page, which is part of the Web application "bcbadm", and changing the BCB settings (for example, the contact center URL) is allowed only for J2EE Engine users with administrator privileges (see note 752579).
Working with the CCS User Interface, which is part of the Web application "ccsui", is allowed only for J2EE Engine users with administrator privileges.
Every SOAP message header contains a parameter for the user who requested a specific function, e.g. dropping a phone call or sending an email. The receiving system can therefore check whether this user is authorized to invoke the function.
The ICI queries SAP J2EE Engine installation data such as host name and HTTP port at runtime using the SAP J2EE Engine adminadapter service. This information is needed to let the contact center software know where to send back its SOAP messages signaling status changes of phone calls, messages, chat sessions and contact center agents.
Since using the adminadapter service at runtime is allowed for users with administrator rights only, a new security role BcbAdmin mapped to the server role administrators is defined in the deployment descriptor ejb-j2ee-engine.xml of the ICI application tc~bcb~ici.
The role BcbAdmin is then used in the run-as element in the deployment descriptor ejb-jar.xml of the ICI application tc~bcb~ici, so that the ICI runs with administrator rights when querying the host and port of the actual SAP J2EE Engine installation.
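Because a run-as role mapped to administrators elevates whatever code runs under it, it is worth auditing which beans use it. The following Python audit is an added example, not SAP's code: it lists every bean in an ejb-jar.xml that declares a run-as role and flags those whose role maps to a privileged server role. The bean names and the hand-entered role map are assumptions, and only standard ejb-jar.xml elements are parsed.

```python
import xml.etree.ElementTree as ET

# Constructed sample ejb-jar.xml; both bean names are hypothetical.
SAMPLE_EJB_JAR = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>IciHostLookupBean</ejb-name>
      <security-identity><run-as><role-name>BcbAdmin</role-name></run-as></security-identity>
    </session>
    <session>
      <ejb-name>IciStatusBean</ejb-name>
      <security-identity><use-caller-identity/></security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>BcbAdmin</role-name></security-role>
  </assembly-descriptor>
</ejb-jar>"""

# Mapping described on this page for ejb-j2ee-engine.xml. Assumption: the
# auditor copies it in by hand; that descriptor is not parsed here.
ROLE_TO_SERVER_ROLE = {"BcbAdmin": "administrators"}
PRIVILEGED_SERVER_ROLES = {"administrators"}

def _find(elem, name):
    """All descendants (and elem itself) with this local tag name, namespace ignored."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(elems):
    return (elems[0].text or "").strip() if elems else ""

def audit_run_as(ejb_jar_xml, role_map, privileged):
    """Return one finding per bean that declares a run-as identity."""
    root = ET.fromstring(ejb_jar_xml)
    declared = {_text(_find(sr, "role-name")) for sr in _find(root, "security-role")}
    findings = []
    for beans in _find(root, "enterprise-beans"):
        for bean in beans:  # session, entity or message-driven
            for run_as in _find(bean, "run-as"):
                role = _text(_find(run_as, "role-name"))
                findings.append({
                    "bean": _text(_find(bean, "ejb-name")),
                    "run_as": role,
                    "server_role": role_map.get(role),
                    "privileged": role_map.get(role) in privileged,
                    "declared": role in declared,  # listed in assembly-descriptor?
                })
    return findings

if __name__ == "__main__":
    for f in audit_run_as(SAMPLE_EJB_JAR, ROLE_TO_SERVER_ROLE, PRIVILEGED_SERVER_ROLES):
        print(f)
```

Each finding with `privileged` set to true marks a bean whose methods execute with administrator rights regardless of the caller, so those beans deserve the closest review of who can reach them.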